Access Policy doubt

Hi,
I have an access policy by which an AD resource/account is automatically assigned to a user.
Now, if I deleted the AD account for that user (as the user left), and afterwards I want to assign the AD resource to the user again (the user comes back):
Can the AD account be provisioned to the user by the same access policy (automatically)?
I suspect that the access policy will not work for deleted AD accounts. Is that the case or not?

If AD means Active Directory, see Oracle and AD:
http://docs.oracle.com/cd/E11882_01/win.112/e10845/active_dir.htm

Similar Messages

  • [OIM 9.1.0.2] Access Policy being evaluated for a disabled OIM user.

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look at?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser System Property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remains in the group. I have restarted OIM.
    Do I need to activate the Evaluate User Policies schedule task for this configuration to be effective? Or should I do something more?
    Thanks a lot.

  • How to track a request id through an access policy in OIM

    Let's say User-A requests a job role on behalf of User-B, and this job role has an access policy attached to it to provision the user to AD and SAP.
    Now we want an email sent to User-A (i.e. the User-A who is responsible for the job role assignment which made the access policy trigger the provisioning of User-B to SAP) once User-B is provisioned to a resource for the first time.

    You can find the personA usr_key from the upp and upd tables.
    In the upp table the column name is UPP_UPDATEBY.
    In the upd table the column name is UPD_CREATEBY,
    and for the status check the columns (UPD_ALLOW_LIST, UPP_ALLOW_LIST).
    Thanks..
    Edited by: IDMuser19 on Sep 2, 2010 3:27 PM

  • Not able to get the AD organizations list while creating an access policy

    Hi All,
    I had created an IT Resource for the AD server and was able to connect to it successfully. Now, when I try to create an access policy, I am not able to view any organization from AD.
    Can someone please let me know how to resolve this?
    Thanks in advance.
    Regards
    Arun

    Please check the error log which I got when I ran the schedule job:
    ======= Start Stack Trace =======================>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.exception.ConnectionException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    >
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <================= End Stack Trace =======================>
    Based on this I checked the credentials I provided, and they are correct. I am able to connect to AD with the same credentials when I create a new IT Resource.
    Not sure what went wrong.
    Regards
    Arun
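    Before touching the IT Resource, a practitioner reading this trace wants to know what "data 52e" in the LDAP result 49 message actually means. The following decoder is an added example (not code from the thread or from the OIM AD connector): it parses the diagnostic string Active Directory returns on a failed bind, maps the well-known hex sub-code to its meaning, and deduplicates the repeated lines; the sample log lines are constructed from the trace above plus one made-up line with a different sub-code.

```python
import re

# Hex "data" sub-codes Active Directory appends to LDAP result 49
# (invalidCredentials). This is the well-known AD mapping; it tells the reader
# whether the bind failed on the credential itself or on the account's state.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, credential rejected)",
    "530": "logon not permitted at this time (logon hours restriction)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic message AD embeds in the LDAP error string, e.g.
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
#  AcceptSecurityContext error, data 52e, vece ]"
_LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9a-fA-F]+)"
)


def decode_ldap_error(line):
    """Return a dict describing the AD bind failure in a log line, or None."""
    m = _LDAP_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("code")),
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


def triage(lines):
    """Collect the distinct bind failures in a log (the connector logs the
    same error several times). Returns (data, meaning) pairs in first-seen order."""
    seen = []
    for line in lines:
        info = decode_ldap_error(line)
        if info and (info["data"], info["meaning"]) not in seen:
            seen.append((info["data"], info["meaning"]))
    return seen


# Constructed sample: two lines copied from the trace above (same failure,
# logged twice) and one made-up line carrying a different sub-code.
SAMPLE_LOG = [
    '<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> '
    '<[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: '
    'AcceptSecurityContext error, data 52e, vece ]>',
    '<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> '
    '<Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, '
    'comment: AcceptSecurityContext error, data 52e, vece ]>',
    '<Aug 3, 2012 2:31:10 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> '
    '<[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: '
    'AcceptSecurityContext error, data 775, vece ]>',
]

if __name__ == "__main__":
    for data, meaning in triage(SAMPLE_LOG):
        print(f"data {data}: {meaning}")
```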

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user based on the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple: one rule with only one condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule. It looks like my rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where the problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile. Paid for the app. Sorry to see them discontinue it, but now I know why. Microsoft bought them out! But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402). I worked with iTap to fix this so I guess they sold Microsoft their older buggy code... Microsoft, please fix!
    PS: This is the Android version. Mac and iOS are both okay.
    EDIT: After an update a few months ago, iOS is no longer working. Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client? Please have them read this thread. They need to fix the hard coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses the same host name.
    Again, this is not a configuration problem on our end as it works as intended with the native Windows RDP client as well as the Mac and iOS version of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See below to read the post in context.

    Thanks for the bumps, everyone. I haven't checked this thread in a while because I basically gave up on Microsoft's ability to respond. Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago. I don't remember what version started this. I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message: RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client. It's a paid app, but it works great. I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post. All the information that will point to a fix is there. I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm name.
    Here's that info again (copied/pasted). It doesn't take an engineer to understand the issue. If you know how to decipher Event Logs, you can see where the problem is.
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
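    The diagnosis in this thread rests on reading two RD Gateway events side by side: the connection authorization policy (CAP) passed, the resource authorization policy (RAP) failed, and the resource named in the denial was "localhost" instead of the broker's FQDN. The following triage script is an added example (not code from the thread or from Microsoft): it classifies the event messages quoted above, tolerates the forum's line wrapping, and flags a RAP denial whose requested resource differs from the expected one; the sample events are constructed from the text of the posts.

```python
import re

# Sentence shapes quoted from the RD Gateway operational log in the thread above.
# The patterns target the text on this page, not every Gateway event template.
_HDR = r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '
EVENT_PATTERNS = [
    ("cap_ok", re.compile(
        _HDR + r"met connection authorization policy requirements")),
    ("rap_ok", re.compile(
        _HDR + r"met resource authorization policy requirements"
        r'.*?resource\s*"(?P<resource>[^"]+)"')),
    ("rap_denied", re.compile(
        _HDR + r"did not meet resource authorization policy requirements"
        r'.*?resource\s*"(?P<resource>[^"]+)"')),
    ("connected", re.compile(_HDR + r'connected to resource "(?P<resource>[^"]+)"')),
]
_ERR = re.compile(r'The following error occurred: "(?P<err>\d+)"')


def parse_event(text):
    """Classify one Gateway event message; returns None if it matches nothing."""
    text = " ".join(text.split())  # undo the line wrapping seen in the post
    for kind, rx in EVENT_PATTERNS:
        m = rx.search(text)
        if m:
            err = _ERR.search(text)
            return {"kind": kind, "user": m.group("user"), "client": m.group("client"),
                    "resource": m.groupdict().get("resource"),
                    "error": err.group("err") if err else None}
    return None


def triage_session(events, expected_resource):
    """Summarise one client session: did CAP pass, did RAP pass, and did the
    client ask for the resource the RAP actually allows?"""
    parsed = [p for p in (parse_event(t) for t in events) if p]
    denied = [p for p in parsed if p["kind"] == "rap_denied"]
    requested = denied[0]["resource"] if denied else None
    return {
        "cap_passed": any(p["kind"] == "cap_ok" for p in parsed),
        "rap_denied": bool(denied),
        "requested_resource": requested,
        "resource_mismatch": bool(denied) and requested != expected_resource,
        "error": denied[0]["error"] if denied else None,
        "connected_to": [p["resource"] for p in parsed if p["kind"] == "connected"],
    }


# Constructed samples: the event text quoted in the thread, with the forum's
# line breaks left in to show that parse_event() copes with them.
ANDROID_EVENTS = [
    'The user "DOMAIN\\testuser", on client computer "10.x.x.x", met connection '
    'authorization policy requirements and was therefore authorized to access the '
    'RD Gateway server. The following authentication method was used: "NTLM".',
    'The\nuser "DOMAIN\\testuser", on client computer "10.x.x.x", did not meet '
    'resource authorization policy requirements and was therefore not authorized '
    'to resource"localhost".\nThe following error occurred: "23002".',
]
WINDOWS_EVENTS = [
    'The user "DOMAIN\\testuser", on client computer "10.x.x.x", met connection '
    'authorization policy requirements and was therefore authorized to access the '
    'RD Gateway server. The following authentication method was used: "NTLM".',
    'The user "DOMAIN\\testuser", on client computer "10.x.x.x", met resource '
    'authorization policy requirements and was therefore authorized to connect to '
    'resource "rdsfarm.domain.com".',
    'The user "DOMAIN\\testuser", on client computer "10.x.x.x", connected to '
    'resource "rdsfarm.domain.com".',
]

if __name__ == "__main__":
    for name, evs in (("android", ANDROID_EVENTS), ("windows", WINDOWS_EVENTS)):
        print(name, triage_session(evs, "rdsfarm.domain.com"))
```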

  • RemoteApps Error "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."

    Hello All,
    Good day. May I ask if anyone has experienced this error when trying to access RemoteApps in Azure? We are using IaaS and set up RDS using Windows 2012 R2, but we are getting the error below.
    "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."
    Various roles and services (Broker, Session Host, RD Gateway and Web Access) are installed on each VM.
    Please advise.
    Thanks,
    Glenn

    Hi Glenn;
    It looks like the setup was not done correctly. Please follow the guidelines given on this blog by Keith Mayer.
    Regards;
    Prasant

  • E1200 V2 with no "internet access policy" in built-in web-based setup

    I just bought a factory refurbished E1200. The label on the bottom says it is a Version 2 model. When I purchased it, it was loaded with 2.0.02 firmware, but I upgraded the firmware to 2.0.04.
    My problem is that I'm trying to set up MAC address-based restrictions through the manual/web-based setup, and when I click on the "Access Restrictions" tab, I only have simple "Parental Controls" and not the advanced "Internet Access Policy".
    Is it possible that I have a mislabeled V1 device? If that is the case, how is it that I was able to upgrade the firmware using firmware from the V2 downloads section?
    Do V1 and V2 units use the same firmware? But more importantly, how do I upgrade the built-in software so that I have the advanced "Internet Access Policy" controls?
    Thanks!
    Eric

    Very strange indeed then! My subtab only has "Parental Controls" listed.
    I've compared it to the one shown here ( http://ui.linksys.com/files/E1200/2.0.00/inter_access.htm ) and mine does not look like this at all!
    I think I have a mislabeled V1 model, or at least V1 software loaded.
    Does anyone know if it is possible to download and reload the software that is built into the router, or do I need to return it and get a (hopefully) new one?
    Thanks!
    Eric

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC that faced unexpected behavior on user disabling.
    Some users were associated with groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups, nor the resource and permission associated through the access policy applied to those groups.
    I saw that there was a bug reported for that issue. So I performed the action plan and set up the XL.EvaluateMembershipForInactiveUser System Property as TRUE. Now, after disabling, the users are properly removed from groups.
    Customer problem: for those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies schedule task work for that scenario? Should the resource be revoked after running that task?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but no effect is observed. I have to change the task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size=500 and Number of Threads=20.
    But I have noticed that in another environment (w/ BP18 applied) this task has 3 attributes: Batch Size=500; Number of Threads=20 and Time Limit in mins=1.
    Is there any enhancement for this task in order to improve its performance, or something like that?
    What else can I check?
    Thanks in advance.

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine: the requested account was fully provisioned.
    Can I use these plugins for role-based provisioning?
    I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies job, the account couldn't be provisioned.
    In diagnostic.log I found:
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access Policy Process Form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is: how can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy?
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • 8.0.6-119 on S160 can no longer see past the second access policy

    We upgraded an S160 to 8.0.6-119 today and now the appliance is not authenticating groups beyond restricted internet and information technology. For example, Access Policy #6 is called Marketing. It has access to Streaming Media and Social Media (like youtube, facebook, twitter). They are the marketing department that needs this access to do their job. The identity policy is authenticated_users, but it keeps falling under the last access policy "Global Access Policy", which results in the request being blocked based on URL category.
    I just don't get it. Authenticated Users is selected to the windows realm which the WSA joined to the domain, and it has 3 DCs and a CDA virtual appliance tied to it. I don't see that being the issue because the policy trace correctly brings back all AD groups the user is tied to. The scheme is Use Kerberos or NTLMSSP.
    Next, under access policies there are 14 of them before the global policy. They are all authenticated users and pointed to the proper active directory groups. Marketing is 6 out of 14 (not counting the non-numbered Global Policy at the bottom).
    So what could the issue be?

    I opened a case with TAC but have not heard back. However, it seems things are working now. Perhaps they connected in and corrected an issue but haven't had the chance to tell me what they did. I have remote access enabled for Cisco TAC.
    Now when I do the policy trace, it actually applies the Marketing access policy, and AVC actually sees this is Facebook General (Facebook) in this case. Before, I think it said none for everything and the access policy was global.

  • Access Policy is not getting triggered after creation of user through GTC

    Hi,
    I have an access policy for the ALL USER role that provisions users to an RO after they get created in OIM. I have a trusted source flat file reconciliation GTC for user creation. I am facing an issue where, when a user is created through the GTC, the access policy is not getting triggered. But when creating a user through the web console, the same access policy works fine and the user gets provisioned with the RO.
    If anybody has any idea how to resolve this, please help me in this regard.
    Regards,
    Avijit

    Hi,
    It's good to know that it's working. As per my experience it works once (through reconciliation) but then stops working. Now, to confirm, try to revoke the user by changing the group membership through reconciliation and see if the resource is revoked or not (repeat it 2-3 times). Note: don't do it from within the IDM web admin console, do it through reconciliation.
    Do post your results.
    Regards.

  • How to Apply a Newly Created Access Policy on Existing Users in OIM?

    How to Apply a Newly Created Access Policy on Existing Users in OIM?
    When the rule fails, the user is removed from the group but the resource is not revoked. This is happening only for the old users; for the users which I created now it is working fine, I mean the resource is getting revoked.
    ("Retrofit access policy" is checked on the Access Policy and "Revoke if no longer applies" is checked.)
    For the old users I see the POL_KEY is null; for new users I see a value '10'. So I updated the pol_key for old users to the same value as it got generated for new users, '10'.
    I even updated the form version too, but revoke still doesn't work.
    I can't go for the below approach:
    In order to apply a newly created Access Policy on existing users, one has to make sure that:
    1) "Retrofit access policy" is checked on the Access Policy.
    2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
    Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned in Document 839368.1: How to Use Access Policies to Provision with Groups.
    Is there any other approach I can try? If you have any idea please reply to me asap.
    Thanks..

    Thanks for the reply Kevin.
    We decided to try the Schedule task (Set User Provisioned Date).
    But I see one problem here after seeing this post in Metalink --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
    According to this post, the Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
    Is there any custom way to achieve this?
    How does the access policy framework's revoke resource work (revoke if no longer applies)?
    Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

  • Changes in Solaris 10 Patch Access Policy

    Solaris 10 x86 User Community
    As of November 29th, Sun will be changing its Solaris 10 patch access policy. Now that Solaris 10 is freely available, support services require the purchase of a Sun Service Plan.
    Under this new policy, access to patches is restricted. Security fixes and hardware driver updates are publicly available for free, but access to all other patches requires a Sun Service Plan.
    Please see http://www.sun.com/service/sunconnection/solaris10patches.html for available access options.
    Please send any questions to [email protected]

    hi,
    As a technical specialist I can understand everyone needs revenues to keep going. But $120 for a minimum level service plan is really foolish on the part of the policy makers. This would result in a severe dent for the Solaris initiative itself in the long run. There should be a reasonable pricing model, especially when Sun is projecting Solaris as an alternative to Linux! As a loyal Sun developer since 1996, I strongly suggest reconsidering the service plan rates.
    thanks,
    Su37

  • Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

    We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint, but our SharePoint is routed through the UAG. The MDM application does not need to be published, nor is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
    On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint, but we get the following error in the TMG log:
    "Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]"
    The source IP is the internal IP of the host running the MDM application. On the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option, but that had no effect. It appears like there is a policy blocking communication to SharePoint. Does anyone have a suggestion on which policy, or where the policy that is controlling this is located, so that we can try to resolve this issue? Thanks.

    Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx.
    We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application, but that did not make any difference.
